We use LDAP (firewall) authentication for non AD devices with a captive portal. Under "User and Device" -> "Authentication" -> "Settings" we have "Authentication Timeout" set to 120. According to the user guide and help this is in mins. We have several user accounts remaning logged in however for very long periods of time (days). Right now I have more than 10 users with a firewall duration from 1 day to 18 days...
As a result if another device comes on campus and gets the same address days later via DHCP then they are "already authenticated" as the previous user?
What am I missing? How can I stop this from happening?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
pmit wrote:What am I missing? How can I stop this from happening?
Maybe take a look at schedule-timeout under Firewall Policy.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi,
User authentication timeout is idle timeout by default which means the user/host should not generate any traffic for xxx number of minutes minutes configured under user authentication timeout. In case if any application is generating traffic from user PC, user entry will be kept as long as there is an active session from the host.
You can consider configuring keep alive setting. Whit keepalvie page, user will be redirected to a keepalive page after successful authentication. The keepalive page gives users the option to logout so users can logout before closing their browser/leaving their machines, so Fortigate will automatically de-authenticates the user when user clicks on logout button in keep alive page.
# config system global
# set auth-keepalive enable
# end
Note : If the user closes the keepalive page accidentally, user entry will be de-authenticated as per the configured timeout value, which is 120mins as per your config.
.
Viswa
Hello,
as written in the previous post, the auth timeout is an idle timeout per default.
But this can be changed in the CLI:
config user setting set auth-timeout-type ? idle-timeout Idle timeout. hard-timeout Hard timeout. new-session New session timeout. With the hard-timeout the user will be logged out after the configured amount of time - no matter if he is idle or not...
Regards,
Sylvia
@Dave:
Hi! 'schedule-timeout' only determines what action to take if a policy schedule expires. Without that parameter enabled, the session remains active. With this param enable the session is terminated immediately after the schedule has timed out.
New sessions are not affected - they are not allowed if the schedule has expired, in any case.
But all of this in unrelated to the auth timeout. Sylvia pointed out the method how to 'enforce' the auth-timeout as a duration, and not as an idle period.
if user closes the keepalive page accidentally, user entry has to be de-authenticated and terminated immediately
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.